Cisco Support Community
Community Member

Unable to SSH in to ASA with newly created user

Hello. I have an ASA 5510 firewall running an older version of code. I'm trying to create a new user account to log in but I can't seem to SSH with this account. ASDM works fine but SSH fails. I thought the command would have been:

 

username newuser password usertest123 privilege 15

But I can't SSH with this. What am I missing?

 

Cisco Adaptive Security Appliance Software Version 7.2(4)
Device Manager Version 5.2(4)

 

1 ACCEPTED SOLUTION

Hall of Fame Super Silver

I believe it's case-sensitive.

 aaa authentication ssh console LOCAL

 

7 REPLIES
Hall of Fame Super Silver

Does ssh work OK with other local users?

If not, you may be missing:

     aaa authentication ssh console LOCAL

Community Member

I think this may be what's missing. Here's the error I received though when trying to add this to the configuration. I'm assuming I need to create this group?

 

FIrewall-ASA(config)# aaa authentication ssh console local
ERROR: aaa-server group local does not exist
Usage: [no] aaa mac-exempt match <mac-list-id>
        [no] aaa authentication secure-http-client
        [no] aaa authentication listener http|https <if_name> [port <port>] [redirect]
        [no] aaa authentication|authorization|accounting include|exclude <svc>
                <if_name> <l_ip> <l_mask> [<f_ip> <f_mask>] <server_tag>
        [no] aaa authentication serial|telnet|ssh|http|enable console
                <server_tag> [LOCAL]
        [no] aaa accounting telnet|ssh|serial|enable console <server_tag>
        [no] aaa authentication|authorization|accounting match
                <access_list_name> <if_name> <server_tag>
        [no] aaa authorization command {LOCAL | <tacacs_server_tag> [LOCAL]}
        [no] aaa accounting command {privilege <level>} <tacacs_server_tag>
        [no] aaa proxy-limit <proxy limit> | disable
        [no] aaa local authentication attempts max-fail <fail-attempts>
        clear configure aaa
        clear aaa local user {fail-attempts|lockout} {all | username <uname>}}
        show running-config [all] aaa [authentication|authorization|accounting
                |max-exempt|proxy-limit]
        show aaa local user [lockout]

 

Community Member

Looks like you were right! Definitely case sensitive. 

Another question on the topic. The enable password, regardless of user, is the same for all users, correct?

Hall of Fame Super Silver

For LOCAL users, yes - the enable password is common between users.

If you use external authentication (and the user is authorized for enable), then they re-use their login password for enable access.

As of ASA 9.2 you can also allow direct login to enable level ("aaa authorization exec") as described in the Release Notes.

 

 

Super Bronze

Hi,

 

In addition to what Marvin suggested I would suggest simply checking the ASDM logs while the user tries to log in with SSH.

 

Also, if there are others using SSH connections to the ASA, I would confirm whether the new user is in a different subnet and perhaps even behind another interface on the ASA, and you perhaps have not allowed SSH connections from that subnet?

 

Check the output of the command

 

show run ssh

 

To check which users can connect with SSH to the ASA.

 

- Jouni

Community Member

Hi Jouni,

The sh run ssh only shows me the subnets that are allowed to SSH in. No users in this list. 
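An added example, not part of the thread and not Cisco code: a small Python audit that runs the three checks raised in the replies above (local username present, `aaa authentication ssh console LOCAL` with the case-sensitive keyword, client inside an `ssh <net> <mask> <if>` entry) against a running-config. The function name `check_ssh_login` and the config fragment are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: fragment of an ASA running-config (not from the thread).
SAMPLE_CONFIG = """\
username newuser password 0123456789abcdef encrypted privilege 15
aaa authentication http console LOCAL
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 5
"""

def check_ssh_login(config, user, client_ip):
    """Return the reasons an SSH login by a local user would be refused."""
    lines = [line.strip() for line in config.splitlines()]
    problems = []

    # 1. The account must exist in the local user database.
    if not any(re.match(rf"username {re.escape(user)} ", l) for l in lines):
        problems.append(f"no local username '{user}'")

    # 2. SSH must authenticate against LOCAL. The keyword is case-sensitive:
    #    lowercase 'local' is treated as the name of an aaa-server group.
    aaa = [l.split() for l in lines
           if l.startswith("aaa authentication ssh console")]
    if not any("LOCAL" in tokens[4:] for tokens in aaa):
        problems.append("missing 'aaa authentication ssh console LOCAL'")

    # 3. The client must fall inside a permitted 'ssh <net> <mask> <if>' entry.
    #    Lines such as 'ssh timeout 5' have a different shape and are skipped.
    addr = ipaddress.ip_address(client_ip)
    allowed = False
    for l in lines:
        tokens = l.split()
        if len(tokens) == 4 and tokens[0] == "ssh":
            try:
                net = ipaddress.ip_network(f"{tokens[1]}/{tokens[2]}", strict=False)
            except ValueError:
                continue
            allowed = allowed or addr in net
    if not allowed:
        problems.append(f"{client_ip} not in any 'ssh <net> <mask> <if>' entry")
    return problems

if __name__ == "__main__":
    for reason in check_ssh_login(SAMPLE_CONFIG, "newuser", "10.1.1.25"):
        print("FAIL:", reason)
```
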
